Advisory (ICSA-14-135-04)

Unified Automation OPC SDK OpenSSL Vulnerability

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.

OVERVIEW

On April 09, 2014, Unified Automation GmbH announced that its OPC UA Software Development Kits (SDKs) for Windows included vulnerable OpenSSL libraries. HTTPS support is disabled by default in Unified Automation SDK products. However if HTTPS is used, Unified Automation recommends replacing the OpenSSL library with a current version (1.01.g or later) to mitigate this vulnerability.

This vulnerability could be exploited remotely. Exploits that target this vulnerability are known to be publicly available.

AFFECTED PRODUCTS

The following Unified Automation GmbH OPC UA SDK for Windows versions are affected:

C++ based OPC UA SDK V1.4.0 (Windows), and

ANSI C based OPC UA SDK V1.4.0 (Windows).

IMPACT

If HTTPS is enabled, then use of OPC UA SDK is vulnerable to OpenSSL vulnerability. A missing bounds check in the handling of the TLS Heartbeat extension can be used to reveal up to 64 kB of memory on a connected device. An attacker who successfully exploits this vulnerability could read data passed to this device to include the user credentials and cryptographic keys.

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

BACKGROUND

Unified Automation GmbH is a German-based company with SDKs sold worldwide and a majority of customers in Europe and the United States. SDKs are used in critical manufacturing and energy sectors. The SDKs are used by manufacturers of programmable logic controllers, human-machine interface/supervisory control and data acquisition, Data Logging and Supervisory Control (DSC) systems and some manufacturing execution systems (MES) vendors.

The affected products, C++ based OPC UA SDK V1.4.0 (Windows) and ANSI C-based OPC UA SDK V1.4.0, are software development kits for OPC. Unified Automation offers products and services in the field of standardized communication in automation industry.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFERa

The C++ UA OPC SDK and ANSI C OPC SDK V1.4.0 use the vulnerable version of OpenSSL 1.0.1f. This affects the use of HTTPS connections, if enabled.

CVE-2014-0160b has been assigned to this vulnerability. A CVSS v2 base score of 5.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:P/I:N/A:N).c

VULNERABILITY DETAILS

EXPLOITABILITY

This vulnerability could be exploited remotely.

EXISTENCE OF EXPLOIT

Exploits that target this vulnerability are publicly available.

DIFFICULTY

An attacker with a low skill would be able to exploit this vulnerability.

MITIGATION

Unified Automation recommends the following solutions for customers using the HTTPS functionality:

Disable HTTPS transport by configuration in the C++ SDK (default),

Recompile the SDK without HTTPs Support (default), or

Download the current version of OpenSSL from http://www.openssl.org or the personal download area on the Unified Automation web site and recompile the SDK.

Further information from Unified Automation can be found on its web site:

ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.

Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.

Locate control system networks and remote devices behind firewalls, and isolate them from the business network.

When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

I Want To

Join the Secure Portal

ICS-CERT encourages U.S. asset owners and operators to join the Control Systems compartment of the US-CERT secure portal. Send your name, e-mail address, and company affiliation to ics-cert@hq.dhs.gov.